To improve security of computer systems, various efforts have been made in both hardware and software to lock down a system and ensure that unauthorized access is not permitted. One such effort is full disk encryption (FDE), in which virtually all data stored on a disk is encrypted.
In a pre-boot environment, Unified Extensible Firmware Interface (UEFI) code in accordance with the UEFI Specification Version 2.0 (dated Feb. 21, 2006) or later revision, which calls for the separation of pre-boot and boot environments into a variety of phases, may execute before handoff to an OS. Many FDE schemes require some pre-operating system (OS) user authentication. But this user-authentication cannot wholly occur in the OS since the OS image is itself encrypted. As such, a rich plurality of authentication tokens/credentials and credential providers need to be hosted in this pre-OS regime. In some systems, a different OS, e.g., Linux™, is launched in the pre-OS space to perform the user authentication. However, this pre-OS launch of a different OS is typically outside of the UEFI specification. Further, this pre-OS launch then needs to return to the platform basic input/output system (BIOS) (UEFI or legacy) and continue to the main OS boot. This is a huge impediment to boot time, is a large storage overhead, and effectively entails duplication of many platform BIOS capabilities.